I have my Black Duck Audit reports; What’s next?

Black Duck® Open Source Audit reports provide a tremendous amount of information. We have been performing audits and delivering results to customers for over 15 years, and we continue to seek to provide vital information that is easily accessible and valuable. We recognize that the information only has value if clients understand how to leverage and utilize the information, both as part of and following a merger and acquisition (M&A) transaction, so this blog post provides information on how to read and understand your report.

The open source audit provides several important deliverables.

• Spreadsheet report. The multiple tabs of the spreadsheet run from high-level risk summaries with graphics to file-level details of discovered legal and security issues. The backbone is the software Bill of Materials (SBOM), a comprehensive list of items discovered via the audit, and their associated licenses.
• Executive summary. The executive summary is valuable for providing context surrounding interesting discoveries, as well as the language and terms used in OSS compliance audits.
• License text report. This report includes the text of all licenses relevant to the code in question. They are pulled from Black Duck Knowledgebase®, which contains over 2,700 open source licenses, from the Apache Software License to the Zimbra Public License. Importantly, any custom or unusual licensing language discovered during the audit is also included in this document. It’s a one-stop shop for attorneys reviewing results.
• Aggregated summary report (optional). This is the newest report that Black Duck includes for engagements that have multiple report deliveries. In the event you have 5, 10, or more audited applications (a quite common case in today’s technical due diligence landscape), the aggregated summary provides a quick reference as to which applications contain high-interest items upon which to focus valuable resources for review.

We have the reports; Now what?

You have received an email from the Black Duck project manager indicating the audit is complete. You download the reports. What’s next? How best to proceed and disseminate the information?

Summarize and prioritize

It is rare these days that an audit engagement consists of only a single application and set of reports. Even in the case of an individual product or application, these are often monolithic applications that consist of multiple, complex parts such as a web front end, a mobile client application, and data processing back-end elements. If the engagement consists of multiple applications, Black Duck recommends starting with the aggregated summary report so that you can quickly determine which of the detailed reports contain findings of interest or which reports indicate little risk, and therefore you can easily focus time and resources on what matters.

Schedule a post audit review call

The engagement doesn’t end once the reports are delivered. We encourage our customers to schedule a call to discuss the content of the reports and clarify any questions regarding findings of interest. If the audit reports are being distributed across teams or entities, we want to provide insight to best utilize and leverage the findings. We strongly urge the attendance of legal, engineering, and security stakeholders to understand and address any questions resulting from the audit. There are worksheets provided in the reports that are specific to each of these groups. And the reports provide information that will be necessary for the target to address concerns.

Review and remediate

Customers engage with us to discover the reuse and potential compliance and security issues surrounding the open source in the target’s software. In 2021, we performed audits for about 500 transactions. Across each of those transactions, we discovered open source 100% of the time, averaging nearly 600 items per application and over 1,700 per transaction. Importantly, 89% of those transactions involved the use of open source software that introduced license compliance risk. Eighty-five percent of transactions audited contained open source software discoveries with known security vulnerabilities.

In the end, having a plan on how best to address potential issues is necessary. In an M&A transaction, this part of the process will involve clearly conveying concerns to the target’s technical team. This may involve sharing a portion or the complete Black Duck report. In the case of open source license compliance issues, we have a short list of questions to explore in discussions of remediation with the target.

• Is the discovery actually in use and distributed to customers? We often see issues in unimportant code. It is remarkably common that discoveries made when performing a technical due diligence audit are in code that is not actually distributed and thus may not be a concern.
• Is an alternative available? Can the component, dependency, function, or method be replaced with an alternative under more favorable licensing? Can the functionality be rewritten? Might it be okay to drop all together?
• Can the component be incorporated in a manner that is compliant with the license terms? Commonly, statically linked LGPL libraries can be dynamically linked.
• Can licensing be obtained from the copyright holder?
• Is a version of the component available that is free of vulnerabilities? Generally, the answer is yes, and the report will point to that version.